Protecting the Perimeter With OpenBSD

OpenBSD: Ultra-secure Unix variant in the *BSD operating system family
If Unix were a family, OpenBSD would be the crazy, paranoid uncle. As such, the operating system performs best for low-traffic Web sites requiring strong protection.

The Unix operating system has so many descendants and variations that organizations navigating the maze of choices can quickly become disoriented. Many of these projects were launched to offer operating systems unencumbered by the commercial and proprietary licenses tied to the original AT&T UNIX. One of the first open source major branches to develop this way is the BSD family, which has since spawned a number of descendants, including FreeBSD, NetBSD, and OpenBSD. Apple's Mac OS X is also based on a BSD operating system known as Darwin.

When trying to decide on an operating system, bear in mind that it is not so much a case that one Unix operating system is "better" than another, but which is the best choice for a given environment.

People often use the term "family" to describe the lineage of Unix operating systems, and the word is an apt metaphor. Think of each operating system as being a distinct personality  the erudite grandfather, the know-it-all cousin, the doting mother. Like a family, they have many traits and capabilities in common and also differ in their strengths and weaknesses. Therefore, when trying to decide on an operating system, bear in mind that it is not so much a case that one Unix operating system is "better" than another, but which is the best choice for a given environment. Would you rather take your cousin to the movies, or your grandfather to a nightclub?

OpenBSD, like many of the BSD variants, is obtained either via download or by purchasing a CD-ROM. The software itself is free and fully open source, although the CD-ROM distribution carries a $40 price tag that is a contribution to ongoing development. The CD images are not available for download (to further entice you to buy the packaged form), but the individual files are all freely available through links from the OpenBSD Web site. You can download a small bootstrap ISO that boots the OpenBSD installer and can then retrieve the rest of the system files either from CD or over the Internet (or via hard disk). The whole BSD installation is about 140 MB in size; opting out of extras, like games and the large X Windows GUI, saves at least 50 MB of download weight.

OpenBSD in Action

To get to the heart of the matter, OpenBSD is not an operating system heavy on hand-holding and "wizards." The installation process pulls no punches. It is purely text-based and begins with a series of questions. For each question, a default answer is supplied. For the question "Proceed with install?" the default answer is "no." That alone should tell you something: Know what ye are doing before ye pass through these gates.

The first few installation questions are relatively simple to answer. Then comes the hard disk setup. The preamble begins, "For complex disk configurations, relevant disk hardware manuals and a calculator are useful." You need to manually set up the partitions and mount points for the OpenBSD install. Examples on the OpenBSD Web site make the process doable, but it is not a procedure for the computer novice  particularly if the hard disk already contains valuable data.

In the Unix-like family, OpenBSD is akin to the crazy, paranoid uncle. Not necessarily in a bad way.

In the Unix family, OpenBSD is akin to the crazy, paranoid uncle. Not necessarily in a bad way. OpenBSD is very particular about what it wants to accomplish, and it does this very well. That means security. OpenBSD is designed to be secure from the bottom up and from the top down. From the beginning, every line of code has been continually audited for flaws and vulnerabilities (this is an ongoing process since hackers are always developing new techniques). The initial install does not enable any system services that are not absolutely necessary for basic operation. Consequently, administrators must consciously enable features. And, without a warm and fuzzy GUI with which to do so, the idea is that admins better know what they are doing.

OpenBSD uses strong cryptography throughout the operating system. This means that even details as mundane as user passwords are encrypted using heavy duty algorithms. OpenBSD offers stronger, deeper encryption throughout the operating system than comparable ones because, as a product of Canada, it is not bound by the export laws of the United States, which put restrictions on cryptography. It is perfectly legal to use OpenBSD in the United States, but a U.S.-based vendor would not be able to legally export a product with the same type of strong cryptography.

The Achilles heel of OpenBSD is its scalability. Detailed benchmarks demonstrate that under high loads in large scale network situations (e.g., a heavily trafficked Web server) OpenBSD performs significantly slower than comparable products, including those with NetBSD and the Linux distros, particularly those with the 2.6 Linux kernel. This is why OpenBSD is typically used to implement security (e.g., as a firewall/router configuration).

To put it another way, while you do want your crazy paranoid uncle guarding your front door at night, you don't necessarily want him throwing a dinner party for 50. Which isn't to say that OpenBSD can't serve the Web: Its Apache implementation has been specially secured by OpenBSD. But it will perform best for low-traffic Web sites requiring strong protection. The key theme here is small and secure  therein lies the strength of OpenBSD.

Pros: Small distribution; highly secure; high portability to many hardware platforms.Cons: Not for the novice administrator; esoteric installation routine; weak scalability.